Pulse Detail — Threat Intelligence

PULSE NAME

Actor Combines Variety of Malware To Target Execs

WHITE AlienVault 2016-04-06 Modified: 2016-04-06

193

IOCs

HIGH VOLUME

Since January 2016, a financially motivated threat actor whom Proofpoint has been tracking as TA530 has been targeting executives and other high-level employees, often through campaigns focused exclusively on a particular vertical. For example, intended victims frequently have titles of Chief Financial Officer, Head of Finance, Senior Vice President, Director and other high level roles. Additionally, TA530 customizes the email to each target by specifying the target’s name, job title, phone number, and company name in the email body, subject, and attachment names. On several occasions, we verified that these details are correct for the intended victim. While we do not know for sure the source of these details, they frequently appear on public websites, such as LinkedIn or the company’s own website. The customization doesn't end with the lure; the malware used in the campaigns is also targeted by region and vertical.

Indicators of Compromise (193)

All domain FileHash-MD5 URL FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	au-tdc.com	—	2016-04-06
domain	mletterinklandoix.net	—	2016-04-06
domain	agentclientmediap.me	—	2016-04-06
domain	rabbitons.pw	—	2016-04-06
domain	brookmensoklinherz.org	—	2016-04-06
domain	agentofficer.me	—	2016-04-06
domain	jherecliallowalclient.me	—	2016-04-06
domain	au-tda.com	—	2016-04-06
domain	notallowallownothingaal.me	—	2016-04-06
domain	mediapartnerssays.me	—	2016-04-06
domain	oklinjgreirestacks.biz	—	2016-04-06
domain	sofficeraclientagent.me	—	2016-04-06
FileHash-MD5	ac73097a37bf4effd54ff65caec9fe6a	—	2016-04-06
FileHash-MD5	b3a0b61ce1bb8db01dbdf7d64ec4b4a0	—	2016-04-06
FileHash-MD5	259e1520294401410d8c42cfa768a50a	—	2016-04-06
FileHash-MD5	943faefda16855f0345edfee915c0cdb	—	2016-04-06
FileHash-MD5	bcdb7ed813d0d33b786ae1a4dfa09a2c	—	2016-04-06
FileHash-MD5	46be9db18d1d1602ccd26d6b9944a048	—	2016-04-06
FileHash-MD5	a51be357abb2bb1cdf977ebe05beeb85	—	2016-04-06
FileHash-MD5	b1acb11dbedd96763ee00dd15ce057e3	—	2016-04-06
URL	http://vinastudio.at/8TkXUJ.php	—	2016-04-06
URL	http://vascoboiblog.space/update/KB25421	—	2016-04-06
URL	http://ykyru.com/oslhhtx/index.php	—	2016-04-06
URL	http://hatha.it/6tnLEG.php	—	2016-04-06
URL	http://taftee.in/JnGQ1s.php	—	2016-04-06
URL	http://centralescorts4u.com/XqVFBm.php	—	2016-04-06
URL	http://es.flyinghippo.com/ScXajM.php	—	2016-04-06
URL	http://apptitudes.fr/eC2F1f.php	—	2016-04-06
URL	http://ahtubafishing.com/CXjq48.php	—	2016-04-06
URL	http://t-firma-en.itechwebsolutions.com/U2Ac7i.php	—	2016-04-06
URL	http://31.192.105.24/mtv/gate.php	—	2016-04-06
URL	http://galleryamjadi.ir/image/flags/he.exe	—	2016-04-06
URL	http://emotionwerbung.de/389Tak.php	—	2016-04-06
URL	http://budni.info/zYNKoq.php	—	2016-04-06
URL	http://raximpex.com/image/data/office.exe	—	2016-04-06
URL	http://apngwen.com/rqgbfhq/index.php	—	2016-04-06
URL	http://180.235.132.105:8843	—	2016-04-06
URL	http://95.170.95.81:5445	—	2016-04-06
URL	http://conseils-finance.com/kJsnUb.php	—	2016-04-06
URL	http://apngwen.com/yvovgw65u/index.php	—	2016-04-06
URL	http://golcukrehberi.com/6JQEva.php	—	2016-04-06
URL	http://itvsoft.asia/rRwKxj.php	—	2016-04-06
URL	http://inicc.yucatan.gob.mx/UIagAy.php	—	2016-04-06
URL	http://jjcampbell.com/1wK5Iy.php	—	2016-04-06
URL	http://event-travel.co.uk/3K6Psd.php	—	2016-04-06
URL	http://mbcqjsuqsd.com/fa7vi1df/index.php	—	2016-04-06
URL	http://officewithout.space/KB998394.exe	—	2016-04-06
URL	http://apartment.od.ua/I35pl6.php	—	2016-04-06
URL	http://sowellness.be/isB2Ac.php	—	2016-04-06
URL	http://acie.edu.np/DFQvsZ.php	—	2016-04-06
URL	http://goldenangels.com.tr/l4Fw8D.php	—	2016-04-06
URL	http://hand-made.by/rQWftY.php	—	2016-04-06
URL	http://sowellness.be/fYvA5U.php	—	2016-04-06
URL	http://behejbrno.com/MixtUZ.php	—	2016-04-06
URL	http://mastfm102.com//wordpress/wpincludes/asalam.exe	—	2016-04-06
URL	http://tugay.com.tr/prkdzF.php	—	2016-04-06
URL	http://usatraveldeals.net/wordpress/wpincludes/load4.php?prot=secrete	—	2016-04-06
URL	http://pdfviewapp.com/?filename=CHEXXi	—	2016-04-06
URL	http://europartners.it/Dd6VPR.php	—	2016-04-06
URL	http://itt-pushkino.org/D2BE6m.php	—	2016-04-06
URL	http://turbosol.asia/l7xydO.php	—	2016-04-06
URL	http://telecom-sa.com/azRXqt.php	—	2016-04-06
URL	http://yardstickglobal.in/Y37Jux.php	—	2016-04-06
URL	http://arcticbear.net/MRGKAC.php	—	2016-04-06
URL	http://fiyaskobirlik.com/UxAK5e.php	—	2016-04-06
URL	http://balustradydrewniane.pl/Fcb7VZ.php	—	2016-04-06
URL	http://divasasbysa.com/wpincludes//kb.exe	—	2016-04-06
URL	http://151.248.121.167:1743	—	2016-04-06
URL	http://liberal.com.mx/0My2EZ.php	—	2016-04-06
URL	http://bem-bakery.com/HPINRS.php	—	2016-04-06
URL	http://apngwen.com/xk0ktpadlj/index.php	—	2016-04-06
URL	http://stevesyachtrepair.com/S8bJFl.php	—	2016-04-06
URL	http://ifawindow.co.uk/0w5MVI.php	—	2016-04-06
URL	http://acmm.org.au/idjFbx.php	—	2016-04-06
URL	http://e-minunat.ro/ZeNpML.php	—	2016-04-06
URL	http://cuentosparahacertefeliz.com/wpincludes/notepad.exe	—	2016-04-06
URL	http://avazuinc.com/D04m5N.php	—	2016-04-06
URL	http://supratimewest.biz/img/green	—	2016-04-06
URL	http://phdfashion.com/wpincludes//calc.exe	—	2016-04-06
URL	http://artistblip.com/QJ9HzW.php	—	2016-04-06
URL	http://ask-us-anything.tk/PsdO76.php	—	2016-04-06
URL	http://dermalightcr.com/tHja9Z.php	—	2016-04-06
URL	http://igotocd.com/rklVaO.php	—	2016-04-06
URL	http://forexonlinebusiness.info/wpincludes/kbe.exe	—	2016-04-06
URL	http://neoad.de/NXy1mb.php	—	2016-04-06
URL	http://146.0.40.33:8843	—	2016-04-06
URL	http://all-4-music.nl/yBDEMc.php	—	2016-04-06
URL	http://ariixhouse.nl/iMVfC4.php	—	2016-04-06
URL	http://loved.kz/yMZFGp.php	—	2016-04-06
URL	http://tbraille.com.br/XAT7zH.php	—	2016-04-06
URL	http://dolphinworld.org/MaB54K.php	—	2016-04-06
URL	http://bulksmsdealer.com/vR3BEX.php	—	2016-04-06
URL	http://mastertrade.tk/12fDze.php	—	2016-04-06
URL	http://vladoveverka.sk/6RGZgC.php	—	2016-04-06
URL	http://granrio.com.br/4A0Hw5.php	—	2016-04-06
URL	http://dentiste-paris-20.fr/IhfweE.php	—	2016-04-06
URL	http://aspectdesigns.com.au/0rTVlG.php	—	2016-04-06
URL	http://asiamaster.kz/vUn1wz.php	—	2016-04-06
URL	http://giosposa.com/Zoe2aN.php	—	2016-04-06
URL	http://krovlyanova.com/image/flags/bf.exe	—	2016-04-06
URL	https://supratimewest.com/README	—	2016-04-06
URL	http://jameswbos.com/v10aAJ.php	—	2016-04-06
URL	http://maxicarga.co/L8HU29.php	—	2016-04-06
URL	http://128.199.186.92:643	—	2016-04-06
URL	http://uvflerpoqgj.com/mwk2ntlx/index.php	—	2016-04-06
URL	http://jadwalpialadunia.in/rG4Rdi.php	—	2016-04-06
URL	http://quadparticle.com/fZ1Y8M.php	—	2016-04-06
URL	http://daddysground.cz/zTVoGb.php	—	2016-04-06
URL	http://jogos.testeqi.com.br/4t1E7X.php	—	2016-04-06
URL	http://dorisbociort.ro/6sZTLc.php	—	2016-04-06
URL	http://wallpapersau.net/igrHKY.php	—	2016-04-06
URL	http://uzmankirala.com/KhVRbv.php	—	2016-04-06
URL	http://zolty.eu/bnFKET.php	—	2016-04-06
URL	http://41.79.173.47:443	—	2016-04-06
URL	http://mangohills.net/RxIoCE.php	—	2016-04-06
URL	http://mariannmahoney.com/wpincludes//office.exe	—	2016-04-06
URL	https://supratimewest.com/TODO	—	2016-04-06
URL	http://audio-hacks.com/wpincludes/salam.exe	—	2016-04-06
URL	http://raincchina.com/NSrcQE.php	—	2016-04-06
URL	http://thebeautythesis.com/UaEigq.php	—	2016-04-06
URL	http://rabbitons.pw/cache	—	2016-04-06
URL	http://kotoberlin.com/wpincludes/office.exe	—	2016-04-06
URL	http://otkritka.com.ua/MVc9hg.php	—	2016-04-06
URL	http://212.183.20.78:444	—	2016-04-06
URL	http://zhahan.kz/TSOXQL.php	—	2016-04-06
URL	http://timeaddedon.com/CBRrYv.php	—	2016-04-06
URL	http://dunwoodypress.com/DJHMXS.php	—	2016-04-06
URL	http://ecoinfo.kz/LUoMqa.php	—	2016-04-06
URL	http://otkritka.com.ua/tjhW2B.php	—	2016-04-06
URL	http://morainecare.com/eQRvWp.php	—	2016-04-06
URL	http://pc.all-to-all.com/Ryfq7Y.php	—	2016-04-06
URL	http://37.34.52.185:444	—	2016-04-06
URL	http://updatesarecoming1000.space/usa/kb	—	2016-04-06
URL	http://laasciidle.com/wpincludes/office.exe	—	2016-04-06
URL	http://ihadthat.com/1NEnbi.php	—	2016-04-06
URL	http://apexminerals.com.au/k8HqvL.php	—	2016-04-06
URL	http://allescorts4u.com/dfgOwA.php	—	2016-04-06
URL	http://162.244.32.157:8458	—	2016-04-06
URL	http://larosa.com.au/8beYcC.php	—	2016-04-06
URL	http://london-escortsagency.org.uk/fdnmyD.php	—	2016-04-06
URL	http://mehmetekinci.biz/Hg3V8b.php	—	2016-04-06
URL	http://sociallyvital.com/images/office.exe	—	2016-04-06
URL	http://sohbetodalari.net/GnOLXh.php	—	2016-04-06
URL	http://supratimewest.biz/img/captcha	—	2016-04-06
URL	http://myteaminspired.com/mzTOIv.php	—	2016-04-06
URL	http://grafitti-photo.com/IGHOYq.php	—	2016-04-06
URL	http://empiredigitalmarketing.com/09LihY	—	2016-04-06
URL	http://rabbitons.pw/css	—	2016-04-06
URL	http://zuiyougou.com/Pfy2Qs.php	—	2016-04-06
URL	http://silstop.pl/Si0cCJ.php	—	2016-04-06
URL	http://satelliterent.com/image/data/logo.exe	—	2016-04-06
URL	http://edlenimaging.com/be5AmR.php	—	2016-04-06
URL	http://ug-stroy.com/image/flags/tg.exe	—	2016-04-06
URL	http://lptech.sk/g3lfoj.php	—	2016-04-06
URL	http://batiatus.net/wp-includes/office.php	—	2016-04-06
URL	http://ykyru.com/eipqcxxb/index.php	—	2016-04-06
URL	http://179.43.160.47:20010	—	2016-04-06
URL	http://31.192.105.24/1.exe	—	2016-04-06
URL	http://verybigloan.com/1vR9hu.php	—	2016-04-06
URL	http://lazycranch.us/PtAg1I.php	—	2016-04-06
URL	http://australianmotorinns.com/9ctKlH.php	—	2016-04-06
URL	http://funzone-veza.sk/Owm50c.php	—	2016-04-06
URL	http://anilyildirim.net/zn9mur.php	—	2016-04-06
URL	http://indonesiandomains.com/e9vsxj.php	—	2016-04-06
URL	http://macphoto.nl/7NBUqj.php	—	2016-04-06
URL	http://dineroexperto.pe/zOesbw.php	—	2016-04-06
FileHash-SHA1	cf3dff8bcd402f8c6f38239a9b800d76df2bfa57	—	2016-04-06
FileHash-SHA1	da5f1a08d01c09ee1d942ffa92dff20ff758af9c	—	2016-04-06
URL	http://muel.altervista.org/z1ho2W.php	—	2016-04-06
URL	http://highclassescorts4u.com/Snuxg7.php	—	2016-04-06
URL	http://www.kiryanaking.com/system/logs/putty.exe	—	2016-04-06
URL	http://monicasalvador.com.ar/btWiaQ.php	—	2016-04-06
URL	http://spartanleather.com.au/image/flags/rsa.exe	—	2016-04-06
URL	http://en.theolympiaschools.edu.vn/FCfXeB.php	—	2016-04-06
URL	http://vancouverdispensarycoalition.ca/euqUb5.php	—	2016-04-06
URL	http://campaignforyoungamerica.org/LT3YRB.php	—	2016-04-06
URL	http://ofertarelampago.com.br/4jiPBG.php	—	2016-04-06
URL	http://www.vascoboiblog.club/0x00/gate.php	—	2016-04-06
URL	http://naipeclandestino.com.br/image/data/office.exe	—	2016-04-06
URL	http://ggvidrosautomotivos.com.br/KMYz1s.php	—	2016-04-06
URL	http://gitafashion.com/image/flags/putty.exe	—	2016-04-06
URL	http://abettermindset.com/images/office.exe	—	2016-04-06
URL	http://stickerplug.com/image/flags/config.exe	—	2016-04-06
URL	http://international.woptimo.com/YglxHK.php	—	2016-04-06
URL	http://premierdisneyvilla.com/QXeHOy.php	—	2016-04-06
URL	http://thebesttshirtsonline.com/CF9iM8.php	—	2016-04-06
URL	http://directoryassistanceamerica.com/XeBUDN.php	—	2016-04-06
URL	http://antalyanalburiye.com/image/payment/client.exe	—	2016-04-06
URL	http://dsmartbuy.com/image/data/office.exe	—	2016-04-06
URL	http://updatesarecoming1000.space/usa/kb37892.exe	—	2016-04-06
URL	http://brightapparel3.com/image/data/msoffice.exe	—	2016-04-06
URL	http://pretenlignesansenquetedecredit.com/wp-includes/kis.exe	—	2016-04-06
URL	http://galaxysportsonline.com/system/logs/office.exe	—	2016-04-06

References (2)

↗ https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs ↗ https://www.proofpoint.com/sites/default/files/proofpoint-personalized-actor-iocs.pdf